Network Security Missing Gapa-1.pdf
Post on 12-Jul-2020
Network Security Missing Gap
Tony Teo
Regional SE Director – APAC
tteo@arbor.net
Existing Solutions Have Critical Gaps
[Diagram: service providers (CDNs, mobile carriers, SaaS, cloud providers) and the enterprise (perimeter, mobile and WiFi employees, remote offices, internal apps, corporate servers), across the two threat categories DDoS and Advanced Threat. Three gaps are called out: "Never see the external threat traffic", "Can't withstand a direct attack", "Never see the threat already inside enterprise".]
DDoS Challenges
Weak in DDoS
Countermeasure Can be DDoSed
• Firewall, IPS, WAF, Load Balancer are Stateful Architecture
• Small packet traffic can spike the CPU resources
Not Optimized for DDoS Protection
• Add-On DDoS features not effective against complex application layer DDoS attack.
• Signature based detection is effective against Flood attack
• Cannot protect against DDoS of upstream ISP link.
Modern DDoS Attacks Are Complex & Diverse
Today’s DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) service outages – many times a single attack can result in all three – and all with the same end result: critical services are no longer available!
The Broad Impact of DDoS Attacks
[Diagram: a data center behind an IPS and a load balancer, with attack traffic and good traffic arriving together.]
Total DDoS Protection
[Diagram: Arbor Cloud (ATLAS) and Peakflow SP/TMS on the service provider side (CDNs, mobile carriers, SaaS, cloud providers), Pravail Availability Protection System at the enterprise (perimeter, mobile and WiFi employees, remote offices, internal apps, corporate servers), joined by Cloud Signaling and reported on a Threat Dashboard. Callouts: "See and stop the threat anywhere", "Stop the threat", "Never see the threat already inside enterprise".]
MAINTAINS LEAD IN OVERALL MARKET AND HIGH-GROWTH SEGMENTS
DDoS Prevention Worldwide Quarterly Revenue Market Share, 3Q13
In 1Q14 total DDoS prevention appliance revenue, Arbor ranks first with 48.8%; they maintain a strong leadership position despite having a wide range of challengers.
Source: DDoS Prevention Appliances Biannual Worldwide and Regional Market Share, Size, and Forecasts: 1st Edition Report Excerpts, June 2014, by Analyst Jeff Wilson
Competitive Landscape Total DDoS Mitigation Market: Global, 2013
[Chart (Source: Frost & Sullivan): vendors plotted by market penetration against "meets market demands", in the quadrants Market Leader, Market Challenger, Market Contender and Emerging Competitor. Vendors shown: Arbor Networks, Black Lotus, Corero Network Security, Prolexic, Radware, Huawei, Verisign, Juniper Networks, Neustar, NSFOCUS, Fortinet, Imperva (Incapsula), Rio Rey, Akamai.]
Key takeaway: Changing technologies and customer requirements leave significant potential for advancement in the competitive landscape.
Source: A custom excerpt from Frost & Sullivan’s Global DDoS Mitigation Market Research Report (NDD2-72), July 2014
ASERT Datasets: ATLAS Sensors
1. ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity.
2. This information is sent to an ATLAS central repository where it is combined with Arbor Peakflow, third-party, and vulnerability data.
3. ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal.
The Arbor ATLAS Initiative
290+ ISPs sharing real-time data
– Automated hourly export of XML file to Arbor server (HTTPS)
– File is anonymous, only tagged with
  – User Specified Region, e.g. Europe
  – Provider Type (self categorized), e.g. Tier 1
Arbor has an extensive sharing network
– Over a hundred national CERT teams (~50% coverage)
– Large cross-section of the security industry, through various sharing groups
– ATLAS portal has 711 unique users, registering 6,006 ASNs for reporting
ATLAS Factoids
– ASERT has data for 44,570 ASNs of 45,369 ASNs total (~98%)
– ASERT has seen 2.63B unique IPv4 addresses (~71% of the theoretical (2^32 – 588,514,304) public addresses)
– ASERT monitors 1.76M “dark” IPv4 addresses
– The 6,006 ASNs provided ASERT intelligence map to 1.25B IPv4 hosts (48%)
120+ TB (approx. 1/3 of daily world Internet traffic)
Did you know?
Arbor Networks collaborated with Google Ideas to create the Digital Attack Map (www.digitalattackmap.com), a data visualization that maps global distributed denial of service (DDoS) attacks.
This Attack Map leverages Arbor’s ATLAS data, allowing users to explore historical trends in DDoS attacks and make the connections to related news on any given day.
Global Intelligence. Local Protection.
We see things others can’t
DDoS campaigns & Advanced Threats
• IP reputation feed for active DDoS campaigns
• IP & DNS reputation for advanced threats
[Diagram: attack traffic and good traffic from ISP 1, ISP 2 … ISP n reaching the target applications and services in the data center behind an IPS and load balancer; the ASERT AIF Reputation Feed supplies reputation data to the protection in front of the target.]
ATLAS Intelligence Feeds
DDoS & Malware Detection
STANDARD FEED (AIF Standard Feed Support Capabilities): DDoS Threats; IP Geo-Location; Web Crawler Identification; Command and Control; Malware
ADVANCED FEED (AIF Advanced Feed Support Capabilities): Location-Based Threats; Email Threats; Targeted Attacks; Mobile
• Incorporates Domain & IP Reputation data to expand breadth of coverage
• Improves accuracy of attack detection
• Establishes confidence levels based on real-time Internet activities
• Provides continuous research on known threats
Multi-Tier DDoS : The Cloud Signaling
Unite the Enterprise and Service & Cloud Providers via Arbor’s Cloud Signaling Coalition
[Diagram: Arbor Peakflow SP / TMS-based DDoS Service and Arbor Cloud at the Internet Service Provider; Arbor Pravail APS in front of the Firewall / IPS / WAF and the public facing servers on the subscriber's data center network; a Cloud Signaling Status indicator.]
1. Service Operating Normally
2. Attack Begins & Blocked by Pravail
3. Attack Grows Exceeding Bandwidth
4. Cloud Signal Launched
5. Customer Fully Protected!
Advanced Threat Challenges
What is dwell time?
Dwell time refers to how much time attackers have spent inside your system before discovery and mitigation.
Attacks in the later stages of the kill chain are taking up residence in your network.
Once inside the network, attacks get more difficult to track and identify.
Time Lapsed Detecting An Advanced Threat
[Diagram: attack stages 1. Recon, 2. Gets In, 3. Spreads, 4. Command Out, 5. Steals/Acts, against the time until "Threat Detected": 291 days.]
APT Operation – Long Term Objective
Why Pravail Security Analytics
1. Easy to deploy
2. Full context of an attack in minutes
3. See attacks as they happen
4. Loops data to reveal undetected attacks
5. ATLAS delivers high fidelity security intelligence based on global attack traffic.
Purpose Built “Hunting” Solution To Empower Your Security Teams
Pravail Security Analytics Operation
[Diagram: Packet Capture → Security Intelligence → Big Data Engine → Data Looping → Security Report.]
Pravail Security Analytics Data Looping
[The same pipeline diagram, with the Data Looping stage highlighted.]
Pravail Security Analytics for 0 Day Exploit Hunting
[Timeline: Month 1 Traffic/PCAP, Month 2 Traffic/PCAP, Month 3 Traffic/PCAP, with the total analytics data growing after 1, 2 and 3 months. The Zero Day attack occurs in the earliest captured traffic.]
– All Traffic Looped - Zero Day not found
– Detection capability update but without signature for the Zero Day attack; All Traffic Looped - Zero Day not found
– Detection capability update INCLUDING signature for the Zero Day attack; All Traffic Looped - Zero Day FOUND
Now that the Zero Day attack has been identified, the attack timeline can be established.
Hunting 0-Day Attack
0 Day Vulnerabilities / Attack Challenges
[Timeline, built up over several slides:]
– t=0: 0 Day Vulnerability Discovered by Hacker; Good guy UNAWARE of New 0 Day Vulnerability
– t=3: 0 Day Exploit Launched
– t=5: CnC
– What do you do when you receive a vulnerabilities disclosure? Patch affected system
– t=50: vulnerability disclosure received; t=53: PROTECTED. Until then (from t=3): NO PROTECTION
Traditional Security Solution for 0 Day Exploit Hunting
Mean time to detect 0 Day Attack timeline = Never ?
[Diagram: perimeter controls (FW, IPS, WAF, SandBox) and internal network controls (AV, HOSTS, LOGS, PACKET CAPTURE, SIEM), each producing a Block / Alert; the SIEM produces a Correlated Block Alert only at t > 50; timeline marks t=0, t=3, t=50.]
Pravail Security Analytics for 0 Day Exploit Hunting
[Timeline repeated: Month 1, 2 and 3 Traffic/PCAP with growing total analytics data; the Zero Day attack in the earliest traffic; All Traffic Looped - Zero Day not found, again not found after the update without the signature, then Zero Day FOUND once the signature is included; now that the Zero Day attack has been identified, the attack timeline can be established.]
Attack Dwell Time: t=0, t=3, t=50
Mean time to detect an 0 Day attack timeline = Minutes
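The data looping idea behind the two "0 Day Exploit Hunting" slides, as an added example that is not Arbor's code or product logic: retained traffic (constructed records placed on the deck's t=3 exploit, t=5 CnC timeline) is re-scanned in full each time the detection content is updated, so the first loop that includes the zero-day signature finds the attack and fixes the infection point and dwell time. The signature names, patterns and the day-50 detection point are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    day: int        # position on the deck's timeline (t)
    src: str
    dst: str
    payload: str    # constructed stand-in for captured packet content

# Constructed retained traffic (hypothetical): the exploit lands at t=3 and the
# command-and-control check-in follows at t=5; the rest is benign web traffic.
RETAINED_TRAFFIC = [
    Record(1, "10.0.0.5", "10.0.0.80", "GET /index.html"),
    Record(3, "203.0.113.9", "10.0.0.80", "POST /upload ZDAY-TRIGGER"),
    Record(5, "10.0.0.80", "203.0.113.9", "CNC-CHECKIN host=web01"),
    Record(12, "10.0.0.7", "10.0.0.80", "GET /about.html"),
]

# Detection content at three points in time (all patterns are constructed).
SIGS_V1 = {"known-worm": "WORM-XYZ"}                                # initial content
SIGS_V2 = {"known-worm": "WORM-XYZ", "other-trojan": "TROJAN-ABC"}  # update, no zero-day sig
SIGS_V3 = dict(SIGS_V2, zeroday_exploit="ZDAY-TRIGGER", cnc_beacon="CNC-CHECKIN")  # update INCLUDING it

def loop_all_traffic(records, signatures):
    """One data-looping pass: run every signature over every retained record,
    oldest first, and return {signature_name: earliest day it matched}."""
    hits = {}
    for rec in sorted(records, key=lambda r: r.day):
        for name, pattern in signatures.items():
            if pattern in rec.payload and name not in hits:
                hits[name] = rec.day
    return hits

def attack_timeline(records, signatures, detection_day):
    """Establish the timeline after a loop that hits: the infection point is the
    earliest matching record, and dwell time runs from there to the day the loop
    was executed. Returns None when the loop finds nothing (Zero Day not found)."""
    hits = loop_all_traffic(records, signatures)
    if not hits:
        return None
    infection_point = min(hits.values())
    return {
        "infection_point": infection_point,
        "dwell_days": detection_day - infection_point,
        "stages": dict(sorted(hits.items(), key=lambda kv: kv[1])),
    }

if __name__ == "__main__":
    print(loop_all_traffic(RETAINED_TRAFFIC, SIGS_V1))     # {}   -> Zero Day not found
    print(attack_timeline(RETAINED_TRAFFIC, SIGS_V2, 30))  # None -> still not found
    print(attack_timeline(RETAINED_TRAFFIC, SIGS_V3, 50))  # found: infection point t=3
```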
0 Day Vulnerabilities / Attack Challenges
– t=3: 0 Day Exploit Launched (Attack Infection Point !!)
– t=5: CnC
Pravail: Detect, Play, Pause & Rewind the threat / attack lurking inside the enterprise
Arbor’s Solution Bridges the Gaps
[Diagram: the earlier gaps diagram with Arbor's answers placed on it: service providers (CDNs, mobile carriers, SaaS, cloud providers) and the enterprise (perimeter, mobile and WiFi employees, remote offices, internal apps, corporate servers), a Threat Dashboard, and Security Analytics set against the gaps "Can't withstand a direct attack" and "Never see the external threat traffic".]
Arbor Overview
Arbor Networks-Wide Product Portfolio
[Diagram: DDoS, Advanced Threats, Arbor Cloud and Cloud Signaling across public clouds, corporate networks, mobile carriers, private clouds and service providers, with good traffic and malicious traffic & malware from mobile users/attackers and internal employees; products placed: NSI, Mobile SP, SP/TMS, ATLAS/ASERT, APS, SA; ~100 Tbps Visibility.]
40% of global internet traffic monitored by ATLAS
90% of Tier 1 and 70% of Tier 2 Service Providers
13+ years experience on delivering innovative security technologies
Thank You